By Adam Thierer & Jennifer Huddleston Skees

“ He’s making a list and checking it twice. Gonna find out who’s naughty and nice .”

With the Christmas season approaching, apparently it’s not just Santa who is making a list. The Trump Administration has just asked whether a long list of emerging technologies are naughty or nice — as in whether they should be heavily regulated or allowed to be developed and traded freely.

If they land on the naughty list, these technologies could be subjected to complex export control regulations, which would limit research and development efforts in many emerging tech fields and inadvertently undermine U.S. innovation and competitiveness. Worse yet, it isn’t even clear there would be any national security benefit associated with such restrictions.  

From Light-Touch to a Long List

Generally speaking, the Trump Administration has adopted a “light-touch” approach to the regulation of emerging technology and relied on more flexible “soft law” approaches to high-tech policy matters. That’s what makes the move to impose restrictions on the trade and usage of these emerging technologies somewhat counter-intuitive. On November 19, the Department of Commerce’s Bureau of Industry and Security launched a “ Review of Controls for Certain Emerging Technologies .” The notice seeks public comment on “criteria for identifying emerging technologies that are essential to U.S. national security, for example because they have potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage.”

The Commerce Department has long sought to control the use of such technologies through a combination of methods, including formal export controls. The process for establishing such controls was clumsily cobbled together over time, so Congress passed the Export Control Reform Act of 2018 (ECRA) to formalize these regulations. ECRA requires that the President formulate an interagency process to coordinate these rules with the goal of creating, “a regular and robust process to identify the emerging and other types of critical technologies of concern, as defined in United States foreign direct investment laws, and regulate their release to foreign persons as warranted regardless of the nature of the underlying transaction.” As part of this process, the Commerce Department is to create a list “of foreign persons and end-uses that are determined to be a threat to the national security and foreign policy of the United States . . .  and to whom exports, reexports, and transfers of items are controlled.”

Sweeping Breadth

That is what prompted the Trump Administration’s recent Emerging Technologies notice, which includes is a remarkably sweeping list of technologies that the Commerce Department is considering for the exports controls list. The list has 14 major categories:

(1) Biotechnology

(2) Artificial intelligence

(3) Position, Navigation, and Timing (PNT) technology

(4) Microprocessor technology

(5) Advanced computing technology

(6) Data analytics technology

(7) Quantum information and sensing technology

(8) Logistics technology

(9) Additive manufacturing / 3D printing

(10) Robotics

(11) Brain-computer interfaces

(12) Hypersonics

(13) Advanced materials

(14) Advanced surveillance technologies

The Department’s 14-category list also includes over 40 itemized examples of specific applications. For example, the “artificial intelligence” category alone includes a list of 11 applied types of AI, from AI cloud technologies and chipsets to neural networks to speech and audio processing.

The breadth of this list is remarkable in that it touches almost every emerging technology sector imaginable. It might have been easier for the Commerce Department to simply list those emerging technologies that will not be subject to review for potential export controls. It is an “everything-but-the-kitchen-sink” approach to emerging technology policy oversight and regulation that could clearly have far reaching consequences beyond national security.

There are some obvious dangers with such an open-ended review and it is important to remember these technologies have many beneficial applications as well as any potential risks.

Threatening Beneficial Uses

First, the potential export regulations create the danger of negative spillover effects that could undermine beneficial uses of each technology listed . All of the technologies listed have already been used in many ways that benefit both consumers and businesses. Limitations on their export could limit their availability or prevent improvements due to concerns that such broad interpretations of restrictions could limit the market.

For example, the regulation of AI mentioned above would not only address concerns about how AI might be used in weapons, but could even undermine the export of technology that has become a part of our everyday lives such as Siri in iPhones and Amazon’s Alexa. While the department claims that it seeks to “avoid negatively impacting U.S. leadership in the science, technology, engineering, and manufacturing sectors,” it is unlikely that any but the most narrowly tailored rules could actually avoid having a negative impact on innovation in the named technologies .

The more general purpose a technology the more difficult it will be to control the potential impact on the beneficial uses of the technology as well as the negative impacts. In fact, in some cases such as AI and robotics it can even be difficult to define what the technology is, because it is typically the applications and not the technology more generally that is being discussed and regulated. In many cases, the anti-export regulations would or could at least signal to entrepreneurial innovators that their time is better spent on other technologies or that their work should be taken elsewhere and risks the U.S. falling behind other countries in these important innovative areas.  

Undermining International Competitiveness

Second, the inquiry could undermine U.S. competitiveness by encouraging more offshoring in a world of innovation arbitrage opportunities . With our increasingly connected global economy and specifically the more mobile nature of many emerging technologies, it is becoming easier for innovators who find themselves subjected to onerous regulations in one country to move their research and development efforts to another. This is sometimes referred to as “ innovation arbitrage .”

While the U.S. remains a leader in attracting innovators, this scenario has already played out several times. For example, Amazon moved its drone testing program to the UK rather than test in the US due in large part to FAA regulations regarding drones. Similarly, 23andme also initially took its direct-to-consumer genetic testing abroad after the FDA threatened to shut down their product.

Heavily regulating the export of general applications of these technologies could actually backfire and encourage innovators to take their research to countries like China where they do not face such regulations. R. David Edelman, the director of the Project on Technology, the Economy, and National Security at MIT, has noted that while the inquiry might be “intended to help US companies be more competitive,” the reality is that “it would almost certainly give Chinese companies that don’t face those same restrictions a sizable advantage in the playing field.”

Moreover, if export controls undermine domestic innovation and competitiveness in this fashion and benefit developers in other countries, it means the U.S. will have less of a say over the ethical development of many important technologies. Bloomberg contributor Noah Smith observes that , when it comes to the global race for hegemony in genetic sciences, China is poised to take the lead. “If the U.S. shies away from developing genetic-engineering technology, these riches will flow to China, or to whatever other countries seize the technological edge,” he notes. That would be problematic not just from a competitive perspective, but also from an ethical perspective, because America would have less of a say in guiding the development of these important but controversial technologies. “Dystopian outcomes are also less likely with the U.S. at the helm,” Smith believes.

Limiting or Ending Technologies Consumers Already Enjoy

Third, the inquiry could pose a threat to everyday consumer technologies that are already widely distributed . The most interesting thing about the technologies listed in the notice is that many of them have moved well beyond the “emerging” phrase of development. They are already out in the wild and being used by people every day.

For example, among the AI technologies listed in the notice are “speech and audio processing (e.g., speech recognition and production)” as well as, “natural language processing (e.g., machine translation).” We already enjoy a great many services such as those today, including Siri and Alexa. Meanwhile, there are technologies already on the market that help disabled and autistic children communicate and interact with their peers using AI and robotics.

For example, the KASPAR robot helps children with such disabilities learn social skills to interact with their peers and teach conversational skills. Similarly, technology that translates apparently nonverbal sounds and other methods of communication into speech via apps and other technology with various voices that others can understand could be subject to development ending regulations or be unable to help children in other countries if the proposed export restrictions are phrased too broadly. Not only might new restrictions limit the development of new technologies, it could even limit or eliminate those that we have already embraced and improved the lives of many.

Risk to Research & Open-Source Efforts

Fourth, the expansion of export controls for many of the technologies listed in the inquiry opens the door to widespread policing of open source coding and communications , but offers no explanation of how that would even work. A large number of the technologies on the Commerce Department list have both commercial and non-commercial applications. Innovation scholars use terms like “ free innovation ” and “social entrepreneurialism” to describe innovative efforts that are undertaken by individuals or groups of people to pursue a broader array of social goals or values beyond just profit-seeking.

A prominent example of social entrepreneurs engaging in free innovation involves the use of 3D printers and open source designs to voluntarily create prosthetics for children with limb deficiencies. What happens to collaborative, non-commercial innovations like that if export controls are suddenly imposed on additive manufacturing technologies by the Department of Commerce? If one participant is based outside the US, is that sufficient to subject such collaboration to export controls? What, exactly, would be subjected to controls? The 3D printers? The open source blueprints? The website hosting such information? It is difficult to imagine how such regulation would work in practice but it is easy to imagine the effect it would have if pursued: It would create a massive chilling effect on many beneficial forms of innovation and simultaneously threaten freedom of speech and academic research.

This same problem could play out in many other technology fields listed in the Commerce Department notice, including: robotics, speech recognition, biotechnology, and genetic engineering, among many others often engage in open and cross-border collaboration for open source development. Free innovation and social entrepreneurialism are expanding rapidly in these and other emerging technology arenas. Thus, export control regulation can no longer hinge on going after “deep-pocketed” corporations looking to sell physical systems. To be truly effective, regulations will need to cover bottom-up, “grassroots” innovation. But that move will have profound ramifications for the freedom to freely tinker with or even freely research important technologies and technological processes.

Dubious National Security Benefits

There’s a final danger associated with this effort: it might not help advance America’s national security objectives , and could even hinder them.

To the extent that ECRA and this new Department of Commerce effort lead to heightened scrutiny for the many dozens of technologies identified, it could undermine research and development efforts in many of those fields. It could do so directly (by formally limiting or forbidding domestic R&D efforts) or indirectly (by incentivizing many domestic emerging tech innovators to move their operations offshore, or discouraging foreign developers from setting up shop here). Not only would such actions risk the US losing its lead in innovation, it could actually result in such regulations backfiring from a national security perspective.  

At the end of the day, the problem here is that Congress is failing to clearly identify what is “essential to the national security of the United States.” ECRA just passes the buck on that thorny question to the Commerce Department for a laundry list of emerging technologies. By soliciting public input, the best hope here is that experts in these various emerging technology sectors will step forward and identify the trade-offs associated with inclusion of most of these technologies on the export controls list. Hopefully, the list would then be narrowed the much smaller class of applied technologies that have a very real, immediate, and clearly catastrophic potential for harm to the national security interests of the nation. That would have been the better way to begin this process, but Congress and the Administration have instead adopted the opposite approach here and now we must hope that they are willing to significantly pare back the list of technologies even being considered for inclusion.

Back to the Crypto Wars?

In a sense, this debate was foreshadowed by the debate in the late 1990s over export controls for encryption technologies. As encryption emerged , law enforcement and national security agencies were concerned about its potential use by bad actors to hide or destroy evidence or information by using encrypted devices or services and sought to require backdoors to be able to access encrypted data and to restrict the export of certain types of encryption and certain encrypted devices. Such requirements, as the Information Technology & Innovation Foundation’s Daniel Castro and Alan McQuinn pointed out, would actually reduce the security of everyday Americans to cyber attacks, negatively impact U.S. businesses’ global competitiveness, and reduce the competitiveness and innovation of the technology sector not only in encryption but in related fields as well.

Luckily, many of these concerns were avoided and encryption restrictions have been narrowly tailored. Recent tensions between the FBI and tech companies like Apple illustrate that this debate is far from settled. Now it seems that the Commerce Department’s proposed restrictions could create the same vulnerabilities more broadly for a great number of emerging technologies.

“Soft Law” & Next Steps

In some ways this move to regulate technologies via export restrictions shows the dark side of the growing trend of “soft law.” Soft law, as we discuss in more detail in our forthcoming paper , includes regulatory actions such as guidance documents, working groups, sandboxing, and many other informal regulatory mechanisms. Such mechanisms are often used to regulate emerging technologies in the absence of formal actions or because the traditional policymaking apparatus cannot keep pace with the rapid evolution of technology. In many cases soft law has been used to accelerate technological development that otherwise might have been limited by traditional hard law.

But where soft law thrives in the vacuum left by a lack of formal delegation and regulation, this inaction also poses risks. Agencies like the Commerce Department could extend amorphous powers over emerging technologies without the expertise to fully understand the way such regulations might negatively affect beneficial technological developments, which are typically hard to predict in advance.

A smarter approach to export controls for emerging technologies begins with a rational assessment of:

1. a more robust evaluation of what really constitutes a tangible, immediate, irreversible, and catastrophic harm to the national security interests of the United States;
2. the practicality of proposed controls for any emerging technologies considered for inclusion on the list;
3. the wisdom of placing technologies on the list which already have been developed or marketed overseas (or appear poised to be); and,
4. the potential unintended consequences that any new export controls might have on the innovative potential of American creators and companies, the future of research in important sectors, the free flow of knowledge regarding peaceful applications, and the competitive standing of the United States relative to other countries.
5. whether catastrophic concerns about emerging technologies might be better addressed through multilateral accords or agreements aimed at achieving global consensus regarding inappropriate use and applications (as has been done in chemical weapon treaties and nuclear non-proliferation efforts).

Several specific technologies may still qualify for inclusion on the export controls list after such an evaluation, but it will start with a more limited approach and then expand as necessary. Such an approach assumes that in general purpose technology is not a threat until proven otherwise. By inverting the process in this fashion, the Administration wouldn’t be treating every emerging technology under the sun as guilty until proven innocent; innovations would be allowed to flourish naturally until the potential for harm is well-documented.

Unfortunately, the Commerce Department’s proposed approach does just the opposite and risks minimizing the benefits of these emerging technologies while doing little to advance national security interests in a meaningful way.

[Note: I later adapted this essay into a short book, which you can download for free here.]

Let’s talk about “permissionless innovation.” We all believe in it, right? Or do we? What does it really mean? How far are we willing to take it? What are its consequences? What is its opposite? How should we balance them?

What got me thinking about these questions was a recent essay over at The Umlaut by my Mercatus Center colleague Eli Dourado entitled, “‘Permissionless Innovation’ Offline as Well as On.” He opened by describing the notion of permissionless innovation as follows:

In Internet policy circles, one is frequently lectured about the wonders of “permissionless innovation,” that the Internet is a global platform on which college dropouts can try new, unorthodox methods without the need to secure authorization from anyone, and that this freedom to experiment has resulted in the flourishing of innovative online services that we have observed over the last decade.

Eli goes on to ask, “why it is that permissionless innovation should be restricted to the Internet. Can’t we have this kind of dynamism in the real world as well?”

That’s a great question, but let’s ponder an even more fundamental one: Does anyone really believe in the ideal of “permissionless innovation”? Is there anyone out there who makes a consistent case for permissionless innovation across the technological landscape, or is it the case that a fair degree of selective morality is at work here? That is, people love the idea of “permissionless innovation” until they find reasons to hate it — namely, when it somehow conflicts with certain values they hold dear.

I’ve written about this here before when referencing the selective morality we often see at work in debates over online safety, digital privacy, and cybersecurity. [See my essays: “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed;” “Privacy as an Information Control Regime: The Challenges Ahead,” and “And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars.“] In those essays, I’ve noted how ironic it is that the same crowd that preaches about how essential permissionless innovation is when it comes to overly-restrictive copyright laws are often among the first to advocate “permissioned” regulations for online data collection and advertising practices. I also noted how many conservatives who demand permissionless innovation on the economic / infrastructure front are quick to call for preemptive content controls to restrict objectionable online content, and a handful of them want “permissioned” cybersecurity rules.

Of course, it’s not really all that surprising that people wouldn’t hold true to the ideal of “permissionless innovation” across the board because at some theoretical point almost every technology has a use scenario that someone — perhaps many of us — would want to see restricted. How do we know when it makes sense to impose some restrictions on innovation to make it more “permissioned”?

The Range of Options

I spend a lot of time thinking about that question these days. The sheer volume and diversity of interesting innovations that surround us today — or that are just on the horizon — are forcing us to struggle both individually and collectively with our tolerance for unabated innovation. Here are just a few of the issues I’m thinking of (many of which I am currently writing about) where these questions come up constantly:

• Online data aggregation / targeted advertising
• Commercial drones
• 3D printing
• Facial recognition & biometrics
• Wearable computing
• Geolocation / Geotagging / RFID
• Robotics
• Nanotechnology

When thinking about innovation in these spaces, it is useful to consider a range of theoretical responses to new technological risks. I developed such a model in my new Minnesota Journal of Law, Science & Technology article on, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.” In that piece,  I identify four general responses and place them along a “risk response continuum”:

1. Prohibition: Prohibition attempts to eliminate potential risk through suppression of technology, product or service bans, information controls, or outright censorship.
2. Anticipatory Regulation: Anticipatory regulation controls potential risk through preemptive, precautionary safeguards, including administrative regulation, government ownership or licensing controls, or restrictive defaults. Anticipatory regulation can lead to prohibition, although that tends to be rare, at least in the United States.
3. Resiliency: Resiliency addresses risk through education, awareness building, transparency and labeling, and empowerment steps and tools.
4. Adaptation: Adaptation involves learning to live with risk through trial-and-error experimentation, experience, coping mechanisms, and social norms. Adaptation strategies often begin with, or evolve out of, resiliency-based efforts.

While these risk-response strategies could also describe the possible range of responses that individuals or families might employ to cope with technological change, generally speaking, I am here using this framework to consider the theoretical responses by society at large or governments. That allows us to bring three general policy concepts into the discussion:

1. “Permissionless Innovation“: Complete freedom to experiment and innovate.
2. “Permissioned Innovation“: General freedom to experiment and innovate, but with possibility that innovation might later be restricted in some fashion.
3. “The Precautionary Principle“: New innovations are discouraged or even disallowed until their developers can prove that they won’t cause any harms.

Here’s how I put all these concepts together in one image:

This gives us a framework to consider responses to various technological developments we are struggling with today. But how do we decide which response makes the most sense for any given technology? The answer will come down to a complicated (and often quite contentious) cost-benefit analysis that weighs the theoretical harms of technological innovation alongside the many potential benefits of ongoing experimentation.

The Case for Permissionless Innovation or an “Anti-Precautionary Principle”

I believe a strong case can be made that permissionless innovation should be our default position in public policy deliberations about technological change. Here’s how I put it in the conclusion of my “Technopanics” article:

Resiliency and adaption strategies are generally superior to more restrictive approaches because they leave more breathing room for continuous learning and innovation through trial-and-error experimentation. Even when that experimentation may involve risk and the chance of mistake or failure, the result of such experimentation is wisdom and progress. As Friedrich August Hayek concisely wrote, “Humiliating to human pride as it may be, we must recognize that the advance and even preservation of civilization are dependent upon a maximum of opportunity for accidents to happen.”

I believe this is the more sensible default position toward technological innovation because the opposite default — a technological Precautionary Principle — essentially holds the “anything new is guilty until proven innocent,” as journalist Ronald Bailey has noted in critiquing the notion. When the law mandates “play it safe” as the default policy toward technological progress, progress is far less likely to occur at all. Social learning and adaptation become less likely, perhaps even impossible, under such a regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

Therefore, the default policy disposition toward innovation should be an ” anti-Precautionary Principle.” Paul Ohm outlined that concept in his 2008 article, “The Myth of the Superuser: Fear, Risk, and Harm Online.” Ohm, who recently joined the Federal Trade Commission as a Senior Policy Advisor, began his essay by noting that “Fear of the powerful computer user, the ‘Superuser,’ dominates debates about online conflict,” but that this superuser is generally “a mythical figure” concocted by those who are typically quick to set forth worst-case scenarios about the impact of digital technology on society. Fear of the “superuser” and hypothetical worst-case scenarios prompts policy action, since as Ohm notes: “Policymakers, fearful of his power, too often overreact by passing overbroad, ambiguous laws intended to ensnare the Superuser but which are instead used against inculpable, ordinary users.” “This response is unwarranted,” Ohm argues “because the Superuser is often a marginal figure whose power has been greatly exaggerated.” (at 1327).

Ohm correctly notes that Precautionary Principle policies are often the result. He prefers the “anti-Precautionary Principle” instead, which he summarized as follows: “when a conflict involves ordinary users in the main and Superusers only at the margins, the harms resulting from regulating the few cannot be justified.” (at 1394) In other words, policy should not be shaped by hypothetical fears and worst-case “boogeyman” scenarios. He elaborates as follows:

Even if Congress adopts the Anti-Precautionary Principle and begins to demand better empirical evidence, it may conclude that the Superuser threat outweighs the harm from regulating. I am not arguing that Superusers should never be regulated or pursued. But given the checkered history of the search for Superusers — the overbroad laws that have ensnared non-Superuser innocents; the amount of money, time, and effort that could have been used to find many more non-Superuser criminals; and the spotty record of law enforcement successes — the hunt for the Superuser should be narrowed and restricted. Policymakers seeking to regulate the Superuser can adopt a few strategies to narrowly target Superusers and minimally impact ordinary users. The chief evil of past efforts to regulate the Superuser has been the inexorable broadening of laws to cover metaphor-busting, impossible-to-predict future acts. To avoid the overbreadth trap, legislators should instead extend elements narrowly, focusing on that which separates the Superuser from the rest of us: his power over technology. They should, for example, write tightly constrained new elements that single out the use of power, or even, the use of unusual power. (at 1396-7)

To summarize, the Anti-Precautionary Principle generally holds that:

1. society is better off when innovation is not preemptively restricted;
2. accusations of harm and calls for policy responses should not be premised on worst-case scenarios;  and,
3. remedies to actual harms should be narrowly tailored so that beneficial uses of technology are not derailed.

Alternatives to Precaution / Permissioning

I don’t necessarily believe that the “anti-Precautionary Principle” or the norm of “permissionless innovation” should hold in every case.  Neither does Ohm. In fact, in his recent work on privacy and online data collection, Ohm betrays his own rule. He does so too casually, I think, and falls prey to the very “Superuser” boogeyman fears he lamented earlier.

For example, in his latest law review article on “Branding Privacy,” Ohm argues that “Change can be deeply unsettling. Human beings prefer predictability and stability, and abrupt change upsets those desires. . . . Rapid change causes harm by disrupting settled expectations” (at 924). His particular concern is the way that corporate privacy policies continue to evolve and generally in the direction of allowing more and more sharing of personal information. Ohm believes that this is a significant enough concern that, at a minimum, companies should be required to assign a new name to any service or product if a material change was made to its information-handling policies and procedures.  For example, if Facebook or Google wanted to make a major change to their services in the direction of greater information sharing, they have to change their names (at least for a time) to something like Facebook Public or Google Public.

Before joining the FTC, Ohm also authored a panicky piece for the Harvard Business Review that outlined a worst-case scenario “database of ruin” that will link our every past transgression and most intimate secret. This fear led him to argue that:

We need to slow things down, to give our institutions, individuals, and processes the time they need to find new and better solutions. The only way we will buy this time is if companies learn to say, “no” to some of the privacy-invading innovations they’re pursuing. Executives should require those who work for them to justify new invasions of privacy against a heavy burden, weighing them against not only the financial upside, but also against the potential costs to individuals, society, and the firm’s reputation.

Applying the Model to Online Safety & Digital Privacy

I’d argue that this “bottom-up” model of coping with technological change is already at work in many areas of modern society. In my “Technopanics” paper, I note that this pretty much the approach we’ve adopted for online safety concerns, at least here in the United States. Very little innovation (or content) is prohibited or even permissioned today. Instead, we rely on other mechanisms: User education and empowerment, informal household media rules, social pressure, societal norms, and so on. [I’ve documented this in greater detail in this booklet.]

Fifteen years ago, there were many policymakers and policy activists who advocated a very different approach: indecency rules for the Net, mandatory filtering schemes, mandatory age verification, and so on. But that prohibitionary and permission-based approach lost out to the resiliency and adaptation paradigm. As a result, innovation and freedom speech continues relatively unabated.  That doesn’t mean everything is sunshine and roses. The Web is full of filth, and hateful things are said every second of the day across digital networks. But we are finding other ways to deal with those problems — not always perfectly, but well enough to get by and allow innovation and speech to continue. When serious harms can be identified — such as persistent online bullying or predation of youth — targeted legal remedies have been utilized.

In two forthcoming law review articles (for the  Harvard Journal of Law & Public Policy and the George Mason Law Review), I apply this same framework to concerns about commercial data collection and digital privacy. I conclude the Harvard essay by noting that:

Many of the thorniest social problems citizens encounter in the information age will be better addressed through efforts that are bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. That framework is the best approach to address personal privacy protection. Evolving social and market norms will also play a role as citizens incorporate new technologies into their lives and business practices. What may seem like a privacy-invasive practice or technology one year might be considered an essential information resource the next. Public policy should embrace—or at least not unnecessarily disrupt—the highly dynamic nature of the modern digital economy.

Two additional factors shape my conclusion that this framework makes as much sense for privacy as it does for online child safety concerns. First, the effectiveness of law and regulation on this front is limited by the normative considerations. The inherent subjectivity of privacy as a personal and societal value is one reason why expanded regulation is not sensible. As with online safety, we have a rather formidable “eye of the beholder” problem at work here. What we need, therefore, are diverse solutions for a diverse citizenry, not one-size-fits-all top-down regulatory solutions that seek to apply to values of the few on the many.  Second, enforcement challenges must be taken into consideration. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright. It will be increasingly difficult and costly to enforce top-down regulatory regimes (assuming we can even agree to common privacy standards), therefore, alternative approaches to privacy protection should be considered.

Of course, some alleged privacy harms involve highly sensitive forms of personal information and can do serious harm to person or property. Our legal regime has evolved to handle those harms. We have targeted legal remedies for health and financial privacy violations, for example, and state torts to fill other gaps. Meanwhile, the FTC has broad discretion under Section 5 of the Federal Trade Commission Act to pursue “unfair and deceptive practices,” including those that implicate privacy. These remedies are more “bottom-up” in character in that they leave sufficient breathing room for ongoing experimentation and innovation but allow individuals to pursue remedies for egregious harms that can be proven.

Applying the Model Elsewhere

We can apply this model more broadly. Let’s pick an issue that’s been in the news recently: concerns about Google Glass and fears about “wearable computing” more generally, which Jerry Brito wrote about earlier today. Google Glass hasn’t even hit the market yet, but the privacy paranoia has already kicked into high gear. Andrew Keen argues that “Google Glass opens an entirely new front in the digital war against privacy” and that “It is the sort of radical transformation that may actually end up completely destroying our individual privacy in the digital 21st century.” His remedy: “I would make data privacy its default feature. Nobody else sees the data I see unless I explicitly say so. Not advertisers, nor the government, and certainly not those engineers of the human soul at the Googleplex. No, Google Glass must be opaque. For my eyes only.”

There’s even more fear and loathing to be found in this piece by Mark Hurst entitled, “The Google Glass feature no one is talking about.” That feature would be Glass’s ability to record massive amounts of video and audio in both public and private spaces. In reality, plenty of people are talking about that feature and wringing the hands about its implications for our collective privacy. Also see, for example, Gary Marshall’s essay, “Google Glass: Say Goodbye to Your Privacy.”

But Google Glass is just the beginning. For another example of a wearable computing technology that is bound to raise concern once it goes mainstream, check out the Memoto Lifelogging Camera. Here’s the description from the website:

The Memoto camera is a tiny camera and GPS that you clip on and wear. It’s an entirely new kind of digital camera with no controls. Instead, it automatically takes photos as you go. The Memoto app then seamlessly and effortlessly organizes them for you. . . . As long as you wear the camera, it is constantly taking pictures. It takes two geotagged photos a minute with recorded orientation so that the app can show them upright no matter how you are wearing the camera. . . . The camera and the app work together to give you pictures of every single moment of your life, complete with information on when you took it and where you were. This means that you can revisit any moment of your past.

Of course, that means you will also be able to revisit many moments from the lives of others who may have been around you while your Memoto Camera was logging your life. So, what are we going to do about Google Glass, Memoto, and wearable computing? Well, for now I hope that our answer is: nothing. This technology is not even out of the cradle yet and we have no idea how it will be put to use by most people. I certainly understand some of the privacy paranoia and worst-case scenarios that some people are circulating these days. As someone who deeply values their own privacy, and as the father of two digital natives who are already begging for more and more digital gadgets, I’ve already thought about a wide variety of worse-case scenarios for me and my kids.

But we’ve been here before. In my Harvard essay, I go back and track privacy panics from the rise of the camera and public photography in the late 1800s all the way down to Gmail in the mid-2000s and note that societal attitudes quickly adjusted to these initially unsettling technologies. That doesn’t mean that all the concerns raised by those technologies disappeared. A century after Warren and Brandeis railed against the camera and called for controls on public photography, many people are still complaining about what people can do with the devices. And although 425 million people now use Gmail and love the free service it provides, some vociferous privacy advocates are still concerned about how it might affect our privacy. And the same is true of a great many other technologies.

But here’s the key question: Are we not better off because we have allowed these technologies to develop in a relatively unfettered fashion? Would we have been better off imposing a Precautionary Principle on cameras and Gmail right out of the gates and then only allowing innovation once some techno-philosopher kings told us that all was safe? I would hope that the costs associated with such restrictions would be obvious. And I would hope that we might exercise similar policy restraint when it comes to new technologies, including Google Glass, Memoto, and other forms of wearable computing. After all, there are a a great many benefits that will come from such technologies and it is likely that many (perhaps most) of us will come to view these tools as an indispensable part of our lives despite the privacy fears of some academics and activists. As Brito notes in his essay on the topic, “in the long run, the public will get the technology it wants, despite the perennial squeamishness of some intellectuals.”

How will we learn to cope? Well, I already have a speech prepared for my kids about the proper use of such technologies that will build on the same sort of “responsible use” talk I have with them about all their other digital gadgets and the online services they love. It won’t be an easy talk because part of it will involve the inevitable chat about responsible use in very personal situations, including times when they may be involved in moments of intimacy with others. But this is the sort of uncomfortable talk we need to be having at the individual level, the family level, and the societal level. How can social norms and smart etiquette help us teach our children and each other responsible use of these new technologies? Such a dialogue is essential since, no matter how much we might hope for these new technologies and the problems they raise might just go away, they won’t.

In those cases where serious harms can be demonstrated — for example “peeping Toms” who use wearable computing to surreptitiously film unsuspecting victims — we can use targeted remedies already on the books to go after them. And I suspect that private contracts might play a stronger role here in the future as a remedy. Many organizations (corporations, restaurants, retail establishments, etc) will want nothing to do with wearable computing on their premises. I can imagine that they may be on the front line of finding creative contractual solutions to curb the use of such technologies.

Embracing Permissionless Innovation While Rejecting “The Borg Complex”

One final point. It is essential that advocates of the “anti-Precautionary Principle” and the ideal of “permissionless innovation” avoid falling prey to what philosopher Michael Sacasas refers to as “the Borg Complex“:

A Borg Complex is exhibited by writers and pundits who explicitly assert or implicitly assume that resistance to technology is futile. The name is derived from the Borg, a cybernetic alien race in the Star Trek universe that announces to their victims some variation of the following: “We will add your biological and technological distinctiveness to our own. Resistance is futile.”

Indeed, too often in digital policy texts and speeches these days, we hear pollyannish writers adopting a cavalier attitude about the impact of technological change on individuals and society. Some extreme technological optimists are highly deterministic about technology as an unstoppable force and its potential to transform man and society for the better. Such rigid technological determinism and wild-eyed varieties of cyber-utopianism should be rejected. For example, as I noted in my review of Kevin Kelly’s What Technology Wants, “Much of what Kelly sputters in the opening and closing sections of the book sounds like quasi-religious kookiness by a High Lord of the Noosphere” and that “at times, Kelly even seems to be longing for humanity’s assimilation into the machine or The Matrix.”

I discussed this problem in more detail in my chapter on “The Case for Internet Optimism, Part 1,” which appeared in the book, The Next Digital Decade. I noted that technological optimists need to appreciate that, as Neil Postman argued, there are some moral dimensions to technological progress that deserve attention. Not all changes will have positive consequences for society. Those of us who espouse the benefits of permissionless innovation as the default rule must simultaneously be mature enough to understand and address the downsides of digital life without casually dismissing the critics.  A “just-get-over-it” attitude toward the challenges sometimes posed by technological change is never wise. In fact, it is downright insulting.

For example, when I am confronted with frustrated fellow parents who are irate about some of the objectionable content their kids sometimes discover online, I never say, “Well, just get over it!” Likewise, when I am debating advocates of increased privacy regulation who are troubled by data aggregation or targeted advertising, I listen to their concerns and try to offer constructive alternatives to their regulatory impulses. I also ask them to think through to consequences of prohibiting innovation and to realize that not everyone shares their same values when it comes to privacy. In other words, I do not dismiss their concerns, no matter how subjective, about the impact of technological change on their lives or the lives of their children. But I do ask them to be careful about imposing their value judgments on everyone else, especially by force of law. I am not harping at them about how “Resistance is futile,” but I am often explaining to them why a certain amount of societal and individual adaptation will be necessary and that building coping mechanisms and strategies will be absolutely essential. I also share tips about the tools and strategies they can tap to help protect their privacy and specifically how it is easier (and cheaper) than ever to find and use ad preference managers, private browsing tools, advertising blocking technologies, cookie-blockers, web script blockers, Do Not Track tools, and reputation protection services. This is all part of the resiliency and adaptation paradigm.

Conclusion

In closing, it should be clear by now that I am fairly bullish about humanity’s ability to adapt to technological change; even radical change. Such change can be messy, uncomfortable, and unsettling, but the amazing thing to me is how we humans have again and again and again found ways to assimilate new tools into our lives and marched boldly forward. On occasion, we may need to slow down that process a bit when it can be demonstrated that the harms associated with technological change are unambiguous and extreme in character. But I think a powerful case can be made that, more often than not, we can and do find ways to effectively adapt to most forms of change by employing a variety of coping mechanisms. We should continue to allow progress through trial-and-error experimentation — in other words, through permissionless innovation — so that we can enjoy the many benefits that accrue from this process, including the benefits of learning from the mistakes that we will sometimes along the way.

Hmmm… What am I missing? I cannot lay my finger on a single line in the Communications Act of 1934, the Telecommunications Act of 1996, or any statute in between that gives the Federal Communications Commission (FCC) the authority to regulate cloud computing.  And yet, like any good stickler for jurisdictional authority, my PFF colleague Barbara Esbin keeps bringing to my attention little FCC chirps here and there which suggest that the agency is slowly positioning itself to become the Federal Cloud Commission. For example, back in September, Barbara brought to my attention this passage in the Commission’s recent Wireless Innovation and Investment Notice of Inquiry, (paragraph 60, pg. 21):

As other approaches, such as cloud computing, evolve, will established standards or de facto standards become more important to the applications development process? For example, can a dominant cloud computing position raise the same competitive issues that are now being discussed in the context of network neutrality? Will it be necessary to modify the existing balance between regulatory and market forces to promote further innovation in the development and deployment of new applications and services?

In my earlier essay about this, I noted that these questions should serve as a wake-up call for Google and other cloud-based providers who think that “neutrality” mandates will end at the infrastructure layer of the Net.  As Berin Szoka and I argued in our paper on “high-tech mutually assured destruction,” regulatory regimes grow but almost never contract.  And I’m even less optimistic about the FCC limiting its regulatory aspirations after the latest thing Barbara Esbin brought to my attention.

Today, as part of the Commission’s ongoing effort to develop a National Broadband Plan, the FCC released a request for information “on data portability and its relationship to broadband.”  (NBP Public Notice #21) “The Commission seeks tailored comment on broadband and portability of data and their relation to cloud computing, transparency, identity, and privacy,” the notice says.  Here was the second item on the list of things the Commission said it was investigating:

Cloud computing. When considering the portability of data, we also consider the processes through which data are moved. In this context, we seek comment on how to identify and understand cloud computing as a model for technology provisioning.

1. The National Institute of Standards and Technology defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Does this definition accurately capture the concept of cloud computing?
2. What types of cloud computing exist (e.g., public, hybrid, and internal) and what are the legal and regulatory implications of their use?
3. Can present broadband network configurations handle a large-scale shift in bandwidth usage that a rapid adoption of cloud computing might cause?
4. How does cloud computing affect the reliability, scalability, security, and sustainability of information and data?
5. To what extent can the federal government leverage cloud solutions to improve intra-agency processes, intergovernmental coordination, and civic participation?
6. What impact do developments in cloud computing have with respect to broadband deployment, adoption, and use?
7. How can various parties leverage cloud computing to obtain economic or social efficiencies? Is it possible to quantify the efficiencies gained?
8. To what extent are consumers protected by industry self-regulation (e.g., the Cloud Computing Manifesto), and to what extent might additional protections be needed?
9. What specific privacy concerns are there with user data and cloud computing?
10. What precautions should government agencies take to prevent disclosure of personal information when providing data?
11. Is the use of cloud computing a net positive to the environment? Are there specific studies that quantify the environmental impact of cloud computing?

I suppose some might claim there’s nothing wrong with the FCC looking into these issues, and that the agency’s interest in cloud computing is entirely benign.  But when it read all these questions about cloud computing in recent FCC notices, I can’t help but thinking about the potential for regulatory creep.  Eventually, when a regulatory agency asks enough questions — especially the sort of questions bolded above — it leads to more agency oversight.  And more agency oversight typically leads to some sort of agency regulation.

Or perhaps I’m just being paranoid.

Regardless, at a minimum, would someone at least tell me where the FCC gets the authority to even ask these questions?  Or do we live in such a Bold New World of progressive government that little encumbrances like statutory authority can be thrown to the wind?   Years from now, some might look back and ask the question that Nobel Prize-winning economist Ronald Coase asked 50 years ago about the FCC and spectrum regulation:  “How did the commission come to acquire this power?”  But I’d like to know the answer to that question right now regarding the FCC’s growing interest in cloud computing.

In episode #44 of “Tech Policy Weekly,” Berin Szoka and Adam Thierer engage in a debate with Internet security expert Chris Soghoian, who is a student fellow at the Berkman Center for Internet & Society at Harvard University. He is also a Ph.D. candidate at Indiana University’s School of Informatics.

Chris is an up-and-coming star in the field of cyberlaw and technology policy as he has quickly made a name for himself in debates over privacy policy, data security, and government surveillance.  He straddles the line between academic and activist, and the role he often plays in many tech policy debates is somewhat akin to what Ralph Nader has done in many other fields through the years. Except, in this case, instead of “Unsafe at Any Speed” it’s more like “Unsafe at Any Setting,” since Chris is often raising a stink about what he regards as unjust or unreasonable privacy or security settings that various online websites or service providers use.

On the show, Chris talks about two of his recent crusades to get certain online providers to change their default settings to improve user security or privacy: (1) His effort this week to get major email providers—and Google in particular—to change their default security settings on their email offerings; and (2) his earlier crusade to create permanent opt-out cookies to stop behavioral advertising by advertising networks.

There are several ways to listen to today’s TLF Podcast. You can press play on the player below to listen right now, or download the MP3 file. You can also subscribe to the podcast by clicking on the button for your preferred service. (And do us a favor, Digg this podcast!)

[display_podcast]

Finally, here’s some relevant links that were mentioned during today’s show:

• Chris Soghoian’s webpage + his Harvard Berkman Center page
• Chris’s blog (“Slight Paranoia”)
• Chris’s “TACO” (Targeted Advertising Cookie Opt-Out) plug-in for Firefox (and description of it on his home page)
• Chris’s “Caught in the Cloud” paper (+ a video of him presenting it at Harvard)
• The letter from 38 cybersecurity researchers that Chris sent to Google
• Berin Szoka’s response to Chris’s “Caught in the Cloud” paper
• Berin’s discussion of the issue of preserving user choice through permanent opt-out cookies